CISA Flags Critical VMware RCE Flaw

CISA just added a critical remote code execution vulnerability in VMware Aria Operations to its must-patch list. The flaw, CVE-2026-22719, allows unauthenticated RCE during migrations and affects multiple versions of Aria, VCF, and vSphere Foundation. It's an urgent call to patch immediately.

The vulnerability, a command injection flaw, is exploitable only during a specific operational window: a support-assisted product migration. That requirement makes the attack complexity high, but because no authentication is needed, any network-accessible appliance is at risk during the migration period. With a CVSS score of 8.1, this isn't just a theoretical issue. CISA's addition of CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog confirms active, real-world attacks are happening, though specific details on the threat actors remain unpublished.

This RCE was patched alongside two other vulnerabilities in the same advisory: CVE-2026-22720, a stored cross-site scripting flaw, and CVE-2026-22721, a privilege escalation vulnerability. The combined update secures Aria Operations against several potential attack vectors.

Because Aria Operations serves as a central management plane for VMware Cloud Foundation and vSphere Foundation, a compromise could expose sensitive infrastructure data and grant high-level administrative access. This makes the flaw a high-priority issue for any team managing hybrid or virtualized environments.

Broadcom's official advisory VMSA-2026-0001 details the fixes in Aria Operations 8.18.6, and VCF and vSphere Foundation 9.0.2.0. For systems that cannot be immediately updated, a temporary workaround shell script, "aria-ops-rce-workaround.sh", is available and must be run as root on each appliance node.

The deadline for Federal Civilian Executive Branch agencies to patch this vulnerability is March 24, 2026. This CISA deadline underscores the urgency for all organizations, as VMware products are frequent targets for both nation-state actors and ransomware groups due to their critical role in datacenter management.
